Noname manuscript No. 

(will be inserted by the editor) 



Multi-Trial Guruswami— Sudan Decoding for Generalised 
Reed Solomon Codes 

Johan S. R. Nielsen • Alexander Zeh 



February 1, 2013 



Abstract An iterated refinement procedure for the Guruswami-Sudan list decoding 
algorithm for Generalised Reed-Solomon codes based on Alekhnovich's module min- 
imisation is proposed. The method is parametrisable and allows variants of the usual 
list decoding approach. In particular, finding the list of closest codewords within an 
intermediate radius can be performed with improved average-case complexity while 
retaining the worst-case complexity. 
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1 Introduction 

Since the discovery of a polynomial-time hard-decision list decoder for Generalised 
Reed-Solomon (GRS) codes by Guruswami and Sudan (GS) [12. 7] in the late 1990s, 
much work has been done to speed up the two main parts of the algorithm: inter- 
polation and root-finding. Notably, for interpolation Beelen and Brander [2] mixed 
the module reduction approach by Lee and O'Sullivan [8] with the parametrisation of 
Zeh et al. [13], and employed the fast module reduction algorithm by Alekhnovich [1]. 
Bernstein [4] pointed out that a slightly faster variant can be achieved by using the 
reduction algorithm by Giorgi et al. [6]. 

For the root-finding step, one can employ the method of Roth and Ruckenstein [11] 
in a divide-and-conquer fashion, as described by Alekhnovich [1]. This step then be- 
comes an order of magnitude faster than interpolation, leaving the latter as the main 
target for further optimisations. 

For a given code, the GS algorithm has two parameters, both positive integers: the 
interpolation multiplicity s and the list size £. Together with the code parameters they 
determine the decoding radius r. To achieve a higher decoding radii for some given 
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GRS code, one needs higher s and I, and the value of these strongly influence the 
running time of the algorithm. 

In this work, we present a novel iterative method: we first solve the interpolation 
problem for s = t = 1 and then iteratively refine this solution for increasing s and I. 
In each step of our algorithm, we obtain a valid solution to the interpolation problem 
for these intermediate parameters. The method builds upon that of Beelen-Brander [2] 
and has the same asymptotic complexity. 

The method therefore allows a fast multi-trial list decoder when our aim is just to 
find the list of codewords with minimal distance to the received word. At any time dur- 
ing the refinement process, we will have an interpolation polynomial for intermediate 
parameters s < s, I < t yielding an intermediate decoding radius f < r. If we perform 
the root-finding step of the GS algorithm on this, all codewords with distance at most 
f from the received are returned; if there are any such words, we break computation 
and return those; otherwise we continue the refinement. We can choose any number 
of these trials, e.g. for each possible intermediate decoding radius between half the 
minimum distance and the target r. 

Since the root-finding step of GS is cheaper than the interpolation step, this multi- 
trial decoder will have the same asymptotic worst-case complexity as the usual GS using 
the Beelen-Brander interpolation; however, the average-case complexity is better since 
fewer errors are more probable. 

This contribution is structured as follows. In the next section we give necessary pre- 
liminaries and state the GS interpolation problem for decoding GRS codes. In Section 3. 
we give a definition and properties of minimal matrices. Alekhnovich's algorithm can 
bring matrices to this form, and we give a more fine-grained bound on its asymptotic 
complexity. Our new iterative procedure is explained in detail in Section .4. 

2 Preliminaries 

2.1 Notation 

Let W q be the finite field of order q and let F g LY/] be the polynomial ring over F g with 
indeterminate X. Let Vq[X, Y] denote the polynomial ring in the variables X and Y 
and let wdeg M v X l Y = ui + vj be the (u, n)-weighted degree of X l Y- > . 

A vector of length n is denoted by v = (vq, . . . ,v n — i). If v is a vector over 
F<j[A], let degv = maxi{degt)j(X)}. We introduce the leading position as LP(v) = 
maxj{i| degVi(X) — degv} and the leading term LT(v) = i>lp( v ) is the term at this 
position. An m x n matrix is denoted by V = ||J!Lq . The rows of such 
a matrix will be denoted by lower-case letters, e.g. vo,...,v TO _i. Furthermore, let 
degV = ^"ii] 1 d e 6 v i- Modules are denoted by capital letters such as M. 

2.2 Interpolation-Based Decoding of GRS Codes 

Let cxq, . . . , ct n -\ be n nonzero distinct elements of ¥ q with n < q and let Wo, ■ ■ ■ , w n -\ 
be n (not necessarily distinct) nonzero elements of Vq. A GRS code Q1ZS(n, k) of length 
n and dimension k over V q is given by 



GTZS(n, k) ^ {( Wo /(a ),...,™„_i/K-i)) : f{X) € V q [X], degf(X) < k} . (1) 
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GRS codes are Maximum Distance Separable (MDS) codes, i.e., their minimum Ham- 
ming distance is d = n — k + 1. We shortly explain the interpolation problem of GS [£, 
12] for decoding GRS codes in the following. 

Theorem 1 (Guruswami-Sudan for GRS Codes [7,12]) Let c £ GTZS(n,k) be 
a codeword and f(X) the corresponding information polynomial as defined in (JJ. Let 
r = (tq, . . . , r„_i) = c + e be a received word where weight(e) < r. Let r[ denote ri/wi. 

Let Q(X,Y) £ W q [X,Y] be a nonzero polynomial that passes through the n points 
(ao,rQ), . . . , (a„_i, r n _i) with multiplicity s > 1, has Y -degree at most £, and 
wdeg lijfe _ x Q(X,y) < s(n-r). Then (Y - f(X)) \ Q(X,Y). 

One can easily show that a polynomial Q(X, Y) that fulfils the above conditions can 
be constructed whenever E(s,£,t) > 0, where 

E(s, t, r) 4 (I + l)s(n - r) - (k - 1) - ( s +> (2) 

is the difference between the maximal number of coefficients of Q(X, Y), and the num- 
ber of homogeneous linear equations on Q(X, Y) specified by the interpolation con- 
straint. This determines the maximal number of correctable errors, and one can show 
that satisfactory s and £ can always be chosen whenever r < n— yj n(k — 1) (for n — > oo 
see e.g. [7]). 

Definition 2 (Permissible Triples) An integer triple (s,£,t) £ (Z_|_) 3 is permissi- 
ble ifE(s,l,r) > 0. 

We define also the decoding radius-function t(s,£) as the greatest integer such that 
(s,£,t(s,£)) is permissible. 

ft is easy to show that E(s,£,t) > for s > £ implies r < [ "9 fc J , which is half 
the minimum distance. Therefore, it never makes sense to consider s > £, and in the 
remainder we will always assume s < £. Furthermore, we will also assume s,£ £ 0(n 2 ) 
since this e.g. holds for any r for the closed-form expressions in [7]. 

2.3 Module Reformulation of Guruswami-Sudan 

Let M s 1 C Fq [X, Y] denote the space of all bivariate polynomials passing through the 
points (ao, r' ), . . . , (a„_x, r' n _ 1 ) with multiplicity s and with K-degree at most I. We 
are searching for an element of M s £ with low (1, k — l)-weighted degree. 

Following the ideas of Lee and O' Sullivan [8], we can first remark that M s g is 
an Fgpf] module. Second, we can give an explicit basis for M s g. Define first two 

polynomials G(X) = Y12=o i-^- ~ a i) as weu as ^(-^0 as the Lagrange polynomial going 
through the points (a,-, r[) for i = 0, . . . , n — 1. Denote by Qui (X) the F'-coefficient of 
Q(X,Y) when Q is regarded over F 9 [X][y]. 

Lemma 3 Let Q(X,Y) e M sd . Then G(X) s_t | Q [t] (X) fort < s. 

Proof Q(X, Y) interpolates the n points (a^, r[) with multiplicity s, so for any i, Q(X + 
«j, Y + r'j) = X]j=o a -j)(y r j)"' nas no monomials of total degree less than 

s. Multiplying out the (Y + r^-terms, Qm(X + ctj)Y t will be the only term with 
y-degree t. Therefore Q^(X + ocj) can have no monomials of degree less than s — t, 
which implies (X — a,) | Qm(X). As this holds for any i, we proved the lemma. □ 
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Theorem 4 The module M s £ is generated as an W q [X] -module by the £+1 polynomials 
P W (A, Y) E V q [X,Y] given by 

P (t) pf,V) = G(X) S -\Y -R(X))\ forO<t<s, 
P (t) (A, Y) = Y*~ S (Y - R{X)) S , for s<t<£. 

Proof It is easy to see that each P (t) (X, Y) E M sX since both G(X) and (Y - R(X)) 
go through the n points (cti, rj) with multiplicity one, and that G(X) and (Y — P(X)) 
divide P^{X,Y) with total power s for each t. 

To see that any element of M s £ can be written as an Fq[A]-combination of the 
pW(X, Y), let Q(X, Y) be some element of M 3jt . Then the polynomial Q^ r \x, Y) = 
Q(X,Y) - Q {l] P^\X,Y) has Y-degree at most t - 1. Since both Q(X,Y) and 
P (£) (X,Y) are in M s j, so must Q^- X \X,Y) be in Since P (t) (X,Y) has Y- 

degree f and P$ (X) = 1 for t = I, I — 1, . . . , s, we can continue reducing this way until 
we reach a Q^ S_1 ^(X, Y) E M s g with Y-degree at most s — 1. From then on, we have 
Pm(X) = G(X) S "', but by Lemma 3, we must also have G(X) \ Q^Z^iX), so we can 

also reduce by P (s_1) (X, Y). This can be continued with the remaining P^ '(X, Y), 
eventually reducing the remainder to 0. □ 

We can represent the basis of M s g by the (I + 1) x (I + 1) matrix A s ,i — 

||Py? {X , Y)||^f j_ over F g [Jf]. Any Fq [X]-linear combination of rows of A s j thus 

corresponds to an element in M s ( by its tth term being the F g [X]-coefficient to Y . 
All other bases of M s ^ can be similarly represented by matrices, and these will be 
unimodular equivalent to A s e, i-e., they can be obtained by multiplying A s £ on the 
left with an invertible matrix over F g [A]. 

Extending the work of Lee and O'Sullivan [8], Beelen and Brander [2] gave a fast 
algorithm for computing a satisfactory Q(X, Y): start with A s £ as a basis of M s £ and 
compute a different, "minimal" basis of M s £ where an element of minimal (1, k — 1)- 
weighted degree appears directly.^. 

In the following section, we give further details on how to compute such a basis, 
but our ultimate aims in Section _4 are different: we will use a minimal basis of M s £ 
to efficiently compute one for M. £ for s > s and £ > I. This will allow an iterative 
refinement for increasing s and £, where after each step we have such a minimal basis 
for M s £. We then exploit this added flexibility in our multi-trial algorithm. 

3 Module Minimisation 

Given a basis of M s £, e.g. A Sj £, the module minimisation here refers to the process 
of obtaining a new basis, which is the smallest among all bases of M s j in a precise 
sense. We will define this and connect various known properties of such matrices, and 
use this to more precisely bound the asymptotic complexity with which they can be 
computed by Alekhnovich's algorithm. 

Definition 5 (Weak Popov Form [10] ) A matrix V over ¥ q [X] is in weak Popov 
form if an only if the leading position of each row is different. 

Actually, in both [8,2], a slight variant of A s ,i is used, but the difference is non-essential. 
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We are essentially interested in short vectors in a module, and the following lemma 
shows that the simple concept of weak Popov form will provide this. It is a paraphrasing 
of \X, Proposition 2.3] and we omit the proof. 

Lemma 6 (Minimal Degree) // a square matrix V over ¥ q [X] is in weak Popov 
form, then one of its rows has minimal degree of all vectors in the row space of V. 

Denote now by Wg the diagonal [l + 1) x (£ + 1) matrix over F 9 LY]: 



Since we seek an element of minimal (1, k — l)-weighted degree, we also need the 
following corollary. 

Corollary 7 (Minimal Weighted Degree) Let B G F 9 LY] (f+1)x(f+1) be the ma- 
trix representation of a basis of M s g. If BW( is in weak Popov form, then one of the 
rows of B corresponds to a polynomial in M s i with minimal (1, k — l)-weighted degree. 

Proof Let B = BWg. Now, B will correspond to the basis of an Fg LY]-module M 
isomorphic to M s £, where an element Q(X, Y) G M 8 n is mapped to Q(X, X k ~ 1 Y) G 
M. By Lemma (x, the row of minimal degree in B will correspond to an element of M 
with minimal X-degree. Therefore, the same row of B corresponds to an element of 
M s i with minimal (1, k — l)-weighted degree. □ 

We introduce what will turn out to be a measure of how far a matrix is from being 
in weak Popov form. 

Definition 8 (Orthogonality Defect [9]) Let the orthogonality defect of a square 
matrix V over V q [X] be defined as D(V) = degV — degdet V. 

Lemma 9 If a square matrix V over ¥ q [X] is in weak Popov form then D(V) = 0. 

Proof Let vo, . . . , v m _i be the rows of V G F g LY] mxm and Vi$, . . . , Vi m _\ the el- 
ements of v^. In the alternating sum-expression for detV, the term J^^q 1 LT(v^) 
will occur since the leading positions of v.; are all different. Thus degdet V = 
J^^q 1 deg LT(v.i) = degV unless leading term cancellation occurs in the determi- 
nant expression. However, no other term in the determinant has this degree: regard 
some (unsigned) term in det V, say t — v.^ a ^ for some permutation a G S m - 

If not a(i) — LP(vi) for all i, then there must be an i such that a(i) > LP(v^) since 
a(j) is the same for all a G S m - Thus, degv i a ^ < degt^ LP(vi)- ^ s none of the 
other terms in t can have greater degree than their corresponding row's leading term, 
we get degt < X^c/ degLT(vj). Thus, D(V) = 0. However, the above also proves 
that the orthogonality defect is at least for any matrix. Since any matrix unimodular 
equivalent to V has the same determinant, V must therefore have minimal row-degree 
among these matrices. □ 

Alekhnovich [1] gave a fast algorithm for transforming a matrix over ¥ q [X] to weak 
Popov form. For the special case of square matrices, a finer description of its asymptotic 
complexity can be reached in terms of the orthogonality defect, and this is essential 
for our decoder. 




(3) 
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Lemma 10 (Alekhnovich's Row- Reducing Algorithm) Alekhnovich's algo- 
rithm inputs a matrix V £ ¥ g [X] mxm and outputs a unimodular equivalent matrix 
which is in weak Popov form. Let N be the greatest degree of a term in V. If 
N 6 0(D(V)) then the algorithm has asymptotic complexity: 

0(m 3 D(V) log 2 D(V) log log D(V)) operations over¥ q . 

Proof The description of the algorithm as well as proof of its correctness can be found 
in [1] . We only prove the claim on the complexity. The method R(V, t) of [1] computes 
a unimodular matrix U such that deg(WV) < deg V — t or UV is in weak Popov form. 
According to [Lj Lemma 2.10], the asymptotic complexity of this computation is in 
0(m 3 t log 2 t log log t). Due to Lemma ^ we can set t = D(V) to be sure that UV is in 
weak Popov form. What remains is just to compute the product UV. Due to [1^ Lemma 
2.8], each entry in U can be represented as p{X)X d for some d € No and p(X) £ ¥ q [X] 
of degree at most 2t. If therefore N G 0(D(V)), the complexity of performing the 
matrix multiplication using the naive algorithm is 0(m 3 D(V)). □ 

4 Multi-Trial List Decoding 

4.1 Basic Idea 

Using the results of the preceding section, we show in Section 4.2 that given a basis of 
M s £ as a matrix B s £ in weak Popov form, then we can write down a matrix C\ t+l 
which is a basis of M s i+\ and whose orthogonality defect is much lower than that 
of Ag^+x- This means that reducing C l s £ +1 to weak Popov form using Alekhnovich's 
algorithm is faster than reducing A St £+i- We call this kind of refinement a "micro-step 
of type I" . In Section 4.3. we similarly give a way to refine a basis of M s £ to one of 
M s _|_i .i+i, and we call this a micro-step of type II. 

If we first compute a basis in weak Popov form of M\^\ using A\i, we can perform a 
sequence of micro-steps of type I and II to compute a basis in weak Popov form of M s i 
for any s,£ with £ > s. After any step, having some intermediate s < s, £ < £, we will 
thus have a basis of M. g in weak Popov form. By Corollary 7j we could extract from 

B. I a Q(X, Y) € M. p with minimal (1, k — l)-weighted degree. Since it must satisfy 
the interpolation conditions of Theorem X and since the weighted degree is minimal 
among such polynomials, it must also satisfy the degree constraints for f = r(s,£). By 
that theorem any codeword with distance at most f from r would then be represented 
by a root of Q(X,Y). 

Algorithm 1 is a generalisation and formalisation of this method. For a given 
GlZS(n, k) code, one chooses ultimate parameters (s,£,t) being a permissible triple 
with s < £. One also chooses a list of micro-steps and chooses after which micro-steps 
to attempt decoding; these choices are represented by a list of Si, S2 and Root elements. 
This list must contain exactly s — £ Si-elements of and s — 1 S2-elements, as it begins 
by computing a basis for Mj. 1 and will end with a basis for M s g. If there is a Root 
element in the list, the algorithm finds all codewords with distance at most f — r(s, £) 
from r; if this list is non-empty, the computation breaks and the list is returned. 

The algorithm calls sub-functions which we explain informally: MicroStepl and 
MicroStep2 will take §,£ and a basis in weak Popov form for M. ^ and return a basis 
in weak Popov form for M. ; . respectively M. , , p , , ; more detailed descriptions for 
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these are given in Subsections 4.2 and 4.3. MinimalWeightedRow finds a polynomial of 
minimal (1, k — l)-weighted degree in M . ^ given a basis in weak Popov form (Corol- 
lary 7). Finally, RootFinding(Q, t) returns all y-roots of Q(X,Y) of degree less than k 
and whose corresponding codeword has distance at most r from the received word r. 

Algorithm 1: Multi- Trial Gurus wami-Sudan Decoding 

Input: A QlZS(n, k) code and the received vector r = (ro, . . . , r n —i) 
A permissible triple (s,£,t) 

A list C with elements in {Si, S2, Root} with s — 1 instances of S2, £ — s 
instances of Si 

Preprocessing: Calculate r i = rj/wj for all i = 0, . . . , n — 1 
Construct A11, and compute B\^\ from ^4^1 Wi using Alekhnovich's 
algorithm 

Initial parameters (§,£) (1, 1) 
1 for each c in C do 



2 

3 
4 
5 

6 

7 

8 
9 

10 
11 



if c = Si then 

B S,i+i <~ MicroStepl(s,l,B- |) 

(i,'i)<- (1,1+1) 

if c = S2 then 

e .5+ii+i «~ MicroStep2(s,i,B. |) 
(s,l) (3 + 1,1+1) 

if c = Root then 

Q(X, Y) MinimalWeightedRow(Z3. } ) 

if RootFinding(Q(X,y), t(s,1)) / then 
return this list 



Algorithm 1_ has a large amount of flexibility in the choice of the list C, but since we 
can only perform micro-steps of type I and II, there are choices of s and £ we can never 
reach, or some which we cannot reach if we first wish to reach an earlier s and t. We 
can never reach s > £, but as mentioned in Section .2^ such a choice never makes sense. 
It also seems to be the case that succession of sensibly chosen parameters can always 
be reached by micro-steps of type I and II. That is, if we first wish to attempt decoding 
at some radius t\ and thereafter continue to T2 > t\ in case of failure, the minimal 
possible Si, £1 and S2,^2 such that (si,^i,ti) respectively (s2 I ^2, T "2) ar e permissible 
will satisfy < S2 — s\ < £2 — £i- However, we have yet to formalise and prove such a 
statement. 

In the following two subsections we explain the details of the micro-steps. In Section 
4.4. we discuss the complexity of the method and how the choice of C influence this. 



4.2 Micro-Step Type I: (s,£) h-> (s,£ + 1) 

Lemma 11 If B {0) (X,Y), . . . , (X,Y) is a basis of M s g, then the following is a 
basis of M s £ + i: 



B {0) (X,Y), ... , B W (X,Y),Y^ S+1 (Y - R(X)) 



-s+l. 
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Proof In the basis of M s g+i given in Theorem 4^ the first £ + 1 generators are the 
generators of M s g. Thus all of these can be described by any basis of M s j+i - The last 
remaining generator is exactly Y i ~ s+1 (Y — R(X)) S . □ 

In particular, the above lemma holds for a basis of M s ^ + i in weak Popov form, 
represented by a matrix B s g. The following matrix thus represents a basis of M s £ + i : 



... (-R) s (Di-R) 3 - 1 ... 1 
Lemma 12 D(Cl e+1 W e+ i) = s(degi? - k + 1) < s(n - k). 

Proof We calculate the two quantities det(C* ^ +1 W£ + i) and deg(C]. p +1 W£+i) ■ It is 
easy to see that 

det(C^ +1 W f+1 ) = det B s , e det W e+1 = detB s j det W^f ^ +1)(fe_1) . 

For the row-degree, it is clearly deg(Z3 s ^W^) plus the row-degree of the last row. If and 
only if the received word is not a codeword then degT? > k, then the leading term of 
the last row must be (-R) s X ( - e+1 ~ s ^ k ~ 1 h Thus, we get 

V(Cl, e+1 m+i) = {deg(B s/ W e ) + sdegR+(£ + l-.s)(k- 1)) 
- ( dcgdet(B s ,*W,) + (£+l)(k- 1)) 
= s(dcgi? - k + 1), 

where the last step follows from Lemma 9_ as B s ^Wg is in weak Popov form. □ 

Corollary 13 The complexity of MicroStepl(s, £, B s ^) is 0(£ 3 sn log 2 n log log n). 
Proof Follows by Lemma 1Q. Since s £ 0(n 2 ) we can leave out the s in log-terms. □ 



Cs,£+1 — 



4.3 Micro-Step Type II: (s,£) >->■ (s + 1, 1 + 1) 

Lemma 14 If B^°\X,Y), . . . , (X,Y) is a basis of M s i, then the following is a 
basis of M s+ue+1 : 

G S+1 (X), B {0) (X,Y)(Y -R(X)), ... , B {e) (X,Y)(Y - R(X)). 

Proof Denote by pj® (X, Y) , . . . , pfj (X, Y) the basis of M sJ as given in Theorem 4, 
and by P^ e+1 (X, Y), Pj£$ +1 (X, Y) the basis of M s +i,e+i- Then observe that 
for t > 0, we have P^ e+1 = P^ t ~ 1] (Y - R(X)). Since the B {i) (X,Y) form a ba- 
sis of M s £, each pty is expressible as an F 9 [X]-combination of these, and thus for 
t > 0, pjfh t+1 is expressible as an ¥ q [X ]-combination of the B^(X, Y)(Y - R{X)). 
Remaining is then only P s ( °\ t+1 (X, Y) = G s+1 (X). □ 
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As before, we can use the above with the basis B s j of M s g in weak Popov form, 
found in the previous iteration of our algorithm. Remembering that multiplying by Y 
translates to shifting one column to the right in the matrix representation, the following 
matrix thus represents a basis of Af s+1 



L s+1, 





- G s+1 







' 










" 


1 — 


T 





+ 


T 




-R- 


B s ,i 


T 



(5) 



Lemma 15 D(Cf +1{+1 W £+1 ) = (£ + l)(degi? - k + 1) < (£+l)(n-k). 

Proof We compute deg(C];Yi e+iWe+i) and degdet(C^ 1 £ +1 Wf + i). For the former, 
obviously the first row has degree (s + l)n. Let bj denote the ith row of B s g and 
denote the ith row of B s jW(. The (i + l)th row of Cgt_i g +1 Wg+i has the form 

[(0 | b<) - R(bi | 0)]W /+ i = (0 | b' l )X k - 1 - Rib', | 0). 

If and only if the received word is not a codeword, then deg R > k. In this case, the 
leading term of Rb^ must have greater degree than any term in X b^. Thus the 
degree of the above row is deg R + deg . Summing up we get 

£ 

degC" +M+1 = (s + l)n + ^ dogR + degb- 

= (s + l)n + (£ + 1) deg R + deg(B s/ W £ ). 
For the determinant, observe that 

detCC^+i^+i) = det (C."+M+i) det ( w «+i) 

= G s+1 detBdetW^X (m)(fe_1) , 

where B = B Sj £—R \b s j | T j and B s j is all but the zeroth column of B Sj £. This means 

B can be obtained by starting from B s ^ and iteratively adding the (j + l)th column of 
B s ^i scaled by R(X) to the jth column, with j starting from up to I — 1. Since each 
of these will add a scaled version of an existing column in the matrix, this does not 
change the determinant. Thus, detS = deXB s g. But then detSdet We = det(23 s (V\/g) 
and so deg(det £?det Wi) = deg(B s (Wi) by Lemma 9. since B s jWi is in weak Popov 
form. Thus we get 

degdet^+M+iWf+x) = (a + l)n + deg(B s/ W £ ) + (£+ l)(k - 1). 

The lemma follows from the difference of the two calculated quantities. □ 

Corollary 16 The complexity of MicroStep2(s, £, B s £ ) is Oit^n log 2 n log log n). 
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4.4 Complexity Analysis 

Using the estimates of the two preceding subsections, we can make a rather precise 
worst-case asymptotic complexity analysis of our multi-trial decoder. The average run- 
ning time will depend on the exact choice of C but we will see that the worst-case 
complexity will not. First, it is necessary to know the complexity of performing a 
root-finding attempt. 

Lemma 17 (Complexity of Root-Finding) Given a polynomial Q(X,Y) 6 
Fq[X][y] of Y -degree at most £ and X -degree at most N, there exists an algorithm 
to find all ¥q[X]-roots of complexity C>(i? 2 iVlog 2 iV log log TV) , assuming £,q G O(N). 

Proof We employ the Roth-Ruckenstein [11] root-finding algorithm together with the 
divide-and-conquer speed-up by Alekhnovich [1]. The complexity analysis in [1] needs 
to be slightly improved to yield the above, but see [3] for easy amendments. 

Theorem 18 (Complexity of Algorithm 1) For a given Q1ZS{n, k) code, as well 
as a given list of steps C for Algorithm J_ with ultimate parameters (s,£,t), the algorithm 
has worst-case complexity 0{£^sn log 2 n log log n), assuming q £ 0(n). 

Proof The worst-case complexity corresponds to the case that we do not break early 
but run through the entire list C. Precomputing A s £ using Lagrangian interpolation 
can be performed in 0(nlog 2 nloglogn), see e.g. [5j p. 235], and reducing to B s ^ is in 
the same complexity by Lemma 10. 

Now, C must contain exactly £ — s Si-elements and s — 1 S2-elements. The com- 
plexities given in Corollaries _13_ and ,16, for some intermediate s,£ can be relaxed to 
s and I. Performing 0(£) micro-steps of type I and O(s) of type II is therefore in 
0(£^sn log 2 n log log n) . 

It only remains to count the root-finding steps. Obviously, it never makes sense to 
have two Root after each other in C, so after removing such possible duplicates, there 
can be at most £ elements Root. When we perform root-finding for intermediate §,£, 
we do so on a polynomial in M. | of minimal weighted degree, and by the definition of 
M. £ as well as Theorem 1^ this weighted degree will be less than s(n — t ) < sn. Thus 
we can apply Lemma _17_ with N = sn. □ 

The worst-case complexity of our algorithm is equal to the average-case complexity of 
the Beelen-Brander [2] list decoder. However, Theorem _18_ shows that we can choose 
as many intermediate decoding attempts as we would like without changing the worst- 
case complexity. One could therefore choose to perform a decoding attempt just after 
computing B\ i as well as every time the decoding radius has increased. The result 
would be a decoding algorithm finding all closest codewords within some ultimate 
radius r. If one is working in a decoding model where such a list suffices, our algorithm 
will thus have much better average-case complexity since fewer errors occur much more 
frequently than many. 

5 Conclusion 

An iterative interpolation procedure for list decoding GRS codes based on 
Alekhnovich's module minimisation was proposed and shown to have the same worst- 
case complexity as Beelen and Brander's [2]. We showed how the target module used 
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in Beelen-Brander can be minimised in a progressive manner, starting with a small 
module and systematically enlarging it, performing module minimisation in each step. 
The procedure takes advantage of a new, slightly more fine-grained complexity analysis 
of Alekhnovich's algorithm, which implies that each of the module refinement steps will 
run fast. 

The main advantage of the algorithm is its granularity which makes it possible to 
perform fast multi-trial decoding: we attempt decoding for progressively larger decod- 
ing radii, and therefore find the list of codewords closest to the received. This is done 
without a penalty in the worst case but with an obvious benefit in the average case. 
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